Policy Packs
Enforce AWS KMS Keys Allow Only Approved Action Permissions

Policy Setting: AWS > KMS > Key > Policy Statements > Approved > Rules

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "aws_kms_key_policy_statements_approved_rules" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/aws-kms#/policy/types/keyPolicyStatementsApprovedRules"
  template_input = <<-EOT
    {
      item: key {
        policy: get(path: "Policy.Statement")
        metadata
      }
    }
  EOT
  template = <<-EOT
    REJECT $.Action:/^kms:(DescribeCustomKeyStores|ConnectCustomKeyStore|DeleteCustomKeyStore|DisconnectCustomKeyStore|UpdateCustomKeyStore|CreateCustomKeyStore|DisableKeyRotation|List\*|Get\*|Describe\*|\*)$/
    {% if $.CustomerMasterKeySpec != "SYMMETRIC_DEFAULT" -%}
    REJECT $.Action:/^kms:(GetPublicKey|Verify|Sign)$/
    {%- endif %}
    REJECT $.Action:/^kms:(Encrypt|Decrypt)$/ !$.Condition.StringEquals."kms:ViaService":"lambda.{{$.item.metadata.aws.regionName}}.amazonaws.com","secretsmanager.{{$.item.metadata.aws.regionName}}.amazonaws.com"
  EOT
}
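The three REJECT rules in the template above, re-expressed as a stand-alone check that can be run against a key policy document before it is applied. This is an added Python example, not code from the Turbot policy pack or from Turbot's rule engine. The region, the sample key policy and the reading of the third rule's `!$.Condition.StringEquals."kms:ViaService"` clause (an Encrypt/Decrypt statement escapes rejection only when it carries a kms:ViaService condition whose values are all approved services) are assumptions made for the example. The first regex is copied as written, so it matches the literal wildcard forms `kms:List*`, `kms:Get*`, `kms:Describe*` and `kms:*` rather than every expanded read action.

```python
import re
from typing import Any

# Constructed region value; the template takes it from $.item.metadata.aws.regionName.
REGION = "us-east-1"

# Rule 1, copied from the template: custom key store management, rotation
# disablement, and the literal wildcard action forms.
BROAD_OR_KEYSTORE = re.compile(
    r"^kms:(DescribeCustomKeyStores|ConnectCustomKeyStore|DeleteCustomKeyStore"
    r"|DisconnectCustomKeyStore|UpdateCustomKeyStore|CreateCustomKeyStore"
    r"|DisableKeyRotation|List\*|Get\*|Describe\*|\*)$"
)
# Rule 2, only applied when the key spec is not SYMMETRIC_DEFAULT.
ASYMMETRIC_ONLY = re.compile(r"^kms:(GetPublicKey|Verify|Sign)$")
# Rule 3, unless the kms:ViaService condition restricts the caller.
ENCRYPT_DECRYPT = re.compile(r"^kms:(Encrypt|Decrypt)$")


def _as_list(value: Any) -> list:
    """IAM accepts either a string or a list for Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def approved_via_services(region: str) -> set:
    """The two services the template names, with the region filled in."""
    return {f"lambda.{region}.amazonaws.com", f"secretsmanager.{region}.amazonaws.com"}


def via_service_ok(statement: dict, region: str) -> bool:
    """Assumed reading of the negated condition clause: the statement must carry a
    StringEquals kms:ViaService condition and every value must be approved."""
    values = _as_list(
        statement.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
    )
    return bool(values) and set(values) <= approved_via_services(region)


def rejected_statements(policy: dict, key_spec: str, region: str) -> list:
    """Return (Sid, action, reason) for each statement action the three rules reject."""
    rejections = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if BROAD_OR_KEYSTORE.match(action):
                rejections.append((sid, action, "wildcard or custom key store action"))
            elif key_spec != "SYMMETRIC_DEFAULT" and ASYMMETRIC_ONLY.match(action):
                rejections.append((sid, action, "sign/verify on an asymmetric key"))
            elif ENCRYPT_DECRYPT.match(action) and not via_service_ok(stmt, region):
                rejections.append((sid, action, "Encrypt/Decrypt not limited to approved kms:ViaService"))
    return rejections


# Constructed sample key policy; the account id and role names are placeholders.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminWildcard", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppDecryptViaLambda", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": "lambda.us-east-1.amazonaws.com"}}},
        {"Sid": "DirectEncrypt", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/batch"},
         "Action": "kms:Encrypt", "Resource": "*"},
        {"Sid": "SignAsymmetric", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/signer"},
         "Action": "kms:Sign", "Resource": "*"},
        {"Sid": "DisableRotation", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops"},
         "Action": "kms:DisableKeyRotation", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for spec in ("SYMMETRIC_DEFAULT", "RSA_2048"):
        print(f"key spec {spec}:")
        for sid, action, reason in rejected_statements(SAMPLE_KEY_POLICY, spec, REGION):
            print(f"  REJECT {sid}: {action} ({reason})")
```

Running the block shows the same statement passing or failing depending on the key spec: `SignAsymmetric` is only rejected for the RSA key, while `AppDecryptViaLambda` passes in both cases because its kms:ViaService value is one of the two approved services for the region.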